Although there are good reasons (as I detail in the video) for sometimes changing passwords, there is a real danger that regularly changing your passwords will lead you into the territory of choosing poor passwords.

Poor because they might be predictable and easy to guess, easy to crack, or simply not unique.

In my experience, enforcing regular password changes can lead to people falling into the trap of weaker passwords rather than strengthening their security.

When there are good reasons to change your passwords, you should definitely change them - and make them strong, hard-to-crack and unique. I recommend using a password manager to generate random passwords and to store them securely for you. If you’re anything like me then you will have far too many passwords to ever have a hope in hell of remembering them for yourself, so let technology do the heavy lifting for you.
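As an added illustration (not part of the original post), the following Python shows the two sides of the argument above: a check that flags the "Password1, Password2, Password3" pattern that forced rotation tends to produce, and a password-manager-style generator drawing from a CSPRNG. The sample history and the function names are constructed for this example.

```python
import re
import secrets
import string

# Constructed sample history (not real credentials): the kind of sequence
# that a monthly forced change tends to produce.
SAMPLE_HISTORY = ["Password1", "Password2", "Password3"]


def _stem(password: str) -> str:
    """Lower-case the password and strip the trailing digits/punctuation,
    which is the part people usually bump on each forced change."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_rotation_of(new: str, old: str) -> bool:
    """True when `new` is `old` with only its trailing counter/suffix changed
    (e.g. Summer2023! -> Summer2024!). A password that is all digits has no
    stem and is never treated as a rotation here."""
    stem = _stem(old)
    return bool(stem) and _stem(new) == stem


def rotation_check(new: str, history: list[str]) -> list[str]:
    """Return every historical password that the candidate merely increments,
    so a policy can reject the change rather than accept a predictable one."""
    return [old for old in history if is_rotation_of(new, old)]


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters
                      + string.digits + string.punctuation) -> str:
    """Random password from the OS CSPRNG, as a password manager would make.
    Narrow `alphabet` for sites that only accept alphanumerics."""
    if length < 12:
        raise ValueError("length must be at least 12")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(rotation_check("Password4", SAMPLE_HISTORY))
    print(generate_password(20))
    print(generate_password(16, string.ascii_letters + string.digits))
```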

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

12 Responses

The other unusual advice I give to people is, write your passwords down, either by using a password manager, or by using a “system”. A “system” would be, for example, like the way I write down my PIN numbers. I keep my PIN numbers (and the number for my bike lock) in the same place as my credit card, except I’m not quite that stupid. I add a “special number” before I write it down, so that if a thief steals my wallet, then what’s written down is useless unless he guesses my “special number”, which is, of course, as difficult to guess as the PIN itself.

When asked to change a password monthly, obviously I resort to the password1, password2, password3 scheme, because a monthly password change for no reason is just stupid.

I started using Lastpass years ago and its password generation facility is first class. I set the default to twelve characters but could make it longer. One issue which sometimes arises is when websites won’t accept characters, only alphanumerics and I have to manually edit the suggested, strong password!

It also lets you do a strength audit on your password vault and highlights weak or duplicate passwords.

I also use a Yubikey for two stage verification at all times and have successfully used it all over the world, loading the Lastpass extension to the browser.

Since receiving an email from Facebook saying “sorry you’ve been having trouble logging in” when I hadn’t (!) and finding an old password on pwndlist, I’ve become a great fan of 2SV using my mobile phone and have it in place for all my important accounts.

Perhaps Graham should do a review of password manager products, Yubikey etc.

I agree too though it’s hard to persuade Auditors that moving away from a regular change makes sense. Personally, in the corporate world, I would prefer to run a password cracking program all the time requiring users to reset any cracked password at the next opportunity. This becomes a game for the user to use only strong passwords (i.e. ones that I can’t crack easily) and then they can keep it for as long as it’s not cracked. I can’t get this approved by any Auditor though :-)

I think password managers are definitely... it's a long discussion with my family and customers alike to get their buy-in, but once they see how easy they are to use, they are usually really happy to use them, knowing they have a little more protection.

- some are closed source
- some you have to pay for
- you’re putting all your eggs in one basket
- you’re trusting your security to somebody else
- if you forget your password you lose everything
- if you don’t back up your database (or it gets corrupted) you lose everything
- some only work on some devices, e.g. a computer-based one may not work on your mobile
- for cloud-based services, if they get hacked (and they’ve made a mistake in their security) then you get compromised
- cloud-based services are also a massive target for hackers.

There are pros and cons. I recommend some people use them and others not to based upon their circumstances. The last thing you want to do is make them more insecure.

Alternatively, if you want a commercial solution go with 1Password, which integrates well with other operating systems and is frequently updated. Downside: it’s closed source and it’s expensive.

https://1password.com/

(Steer clear of LastPass which is now owned by LogMeIn. If you want to look at other commercial services then consider Dashlane and RoboForm but because KeePass is so good there’s no real reason to pay for something.)

Your organisation shouldn’t need to evaluate your password policy just because of what CESG said. Your company shouldn’t have imposed stupid policies (I’m assuming they have) in the first place.

Organisations should think for themselves and implement an appropriate policy instead of relying on generic government advice (no matter how good). There’s no substitute for bespoke advice and proper security/risk assessment.

You know Graham.. it’s a bit scary sometimes… not too long ago I was debating writing about password ageing (the proper term) and how bad of an idea it is; and this has happened with other things you’ve written about relative to what I’ve contemplated. Maybe I will at some point but this thought (and I would have if I had more motivation and time/energy) was within the past fortnight at most.

Of course it’s a terrible idea because it encourages writing down passwords; recycling passwords; sharing passwords (not that writing passwords isn’t sharing…); it is inconvenient and therefore makes it less secure; it encourages working around the system…

In short: password ageing is quite old and it’s outdated, esp. with password managers.

Good food for thought but what is considered frequent change? Most firms I’ve worked for over the last several years force changing every three months. I think ISO 27001 and NIST call for 90 day changes. Is 90 days too frequent?
